yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1283803] Re: keystone listens locally on admin port

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: David Kranz <dkranz@xxxxxxxxxx>
Date: Mon, 24 Feb 2014 14:53:48 -0000
Reply-to: Bug 1283803 <1283803@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This issue is caused by keystone listening globally for the public url
(port 5000) but only on localhost for 35357. I poked a little more and
found the cause.

Setting SERVICE_HOST in localrc causes devstack to produce these values
in keystone.conf:

admin_bind_host = dkranz-devstack
admin_endpoint = http://dkranz-devstack:%(admin_port)s/
public_endpoint = http://dkranz-devstack:%(public_port)s/

I thought the purpose of this env variable was to make the catalog
expose endpoints that are accessible from outside the devstack machine
so it is  surprising this also sets the bind host which makes it not
accessible off the local machine. Is this behaviour intentional?

** Also affects: devstack
   Importance: Undecided
       Status: New

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1283803

Title:
  keystone listens locally on admin port

Status in devstack - openstack dev environments:
  New
Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  I installed a vanilla devstack except for setting SERVICE_HOST in
  localrc so I could run tempest from another machine. Tempest fails
  trying to connect to adminURL and it seems to be because port 35357 is
  only open locally. The conf file comment says:

  # The base admin endpoint URL for keystone that are advertised                  
  # to clients (NOTE: this does NOT affect how keystone listens                   
  # for connections) (string value)                                               
  #admin_endpoint=http://localhost:%(admin_port)s/                                

  But this from  netstat. I would expect 35357 to be the same as the others. It is also possible this is a devstack issue but
  I'm not sure so starting here.

  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State      
  tcp        0      0 *:iscsi-target          *:*                     LISTEN     
  tcp        0      0 *:40956                 *:*                     LISTEN     
  tcp        0      0 localhost:35357         *:*                     LISTEN     
  tcp        0      0 *:6080                  *:*                     LISTEN     
  tcp        0      0 *:6081                  *:*                     LISTEN     
  tcp        0      0 *:3333                  *:*                     LISTEN     
  tcp        0      0 *:8773                  *:*                     LISTEN     
  tcp        0      0 *:8774                  *:*                     LISTEN     
  tcp        0      0 *:8775                  *:*                     LISTEN     
  tcp        0      0 *:9191                  *:*                     LISTEN     
  tcp        0      0 *:8776                  *:*                     LISTEN     
  tcp        0      0 *:5000                  *:*                     LISTEN     
  ... elided ...

  And catalog:+-------------+-----------------------------------+
  |   Property  |               Value               |
  +-------------+-----------------------------------+
  |   adminURL  | http://dkranz-devstack:35357/v2.0 |
  |      id     |  39932d3dcf4340a98727294ed5ec71b8 |
  | internalURL |  http://dkranz-devstack:5000/v2.0 |
  |  publicURL  |  http://dkranz-devstack:5000/v2.0 |
  |    region   |             RegionOne             |
  +-------------+-----------------------------------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/devstack/+bug/1283803/+subscriptions

References

[Bug 1283803] [NEW] keystone listens locally on admin port
From: David Kranz, 2014-02-23